What devices can I enroll in VSA 10 MDM?
You can enroll iPhones, iPads, and macOS devices. A list of supported devices depends on an OS version, not on a device model. To enroll a device the OS version should be:
-
iOS 4.0+
-
iPadOS 4.0+
-
macOS 10.7+
However, every feature, setting, or command has its own supported OS versions list. This one is just for enrollment.
Can I enroll a virtual machine into MDM?
No, most likely you will see the error when you try to install a profile like in the screenshot below. It is not our limitation, Apple returns the “Device is not supported” error. We’ll investigate if there is a workaround.
.png&size=38381&height=309&width=286&alt=)
What types of enrollment are available?
Enrollment types are:
-
QR Code
This method of enrollment is typically used for personal iOS and iPadOS devices (aka BYOD devices). -
Link
This method of enrollment is required for macOS devices but can also be used for iOS and iPadOS. -
USB using Apple Configurator
This method is typically used on business or corporate-owned devices and enables additional management capabilities. Only iOS and iPadOS devices are supported for this enrollment type.
Warning: USB enrollment will erase a device.
Should iPhone be powered on when we use USB enrollment?
It does not really matter.
When an iPhone is connected to USB, you should click prepare the blueprint, the device will be erased and the blueprint is applied. The device can be powered on later, but only after that, it will appear in VSA UI.
Should iPhone be initialized when we use USB enrollment?
No.
When an iPhone is connected to USB, you should click prepare the blueprint, the device will be erased and the blueprint is applied. The device can be powered on later, but only after that, it will appear in VSA UI.
Is it possible to enroll a device by USB without erasing it?
Apple recommends clearing the device when it is enrolled as supervised.
But this tricky workaround allows restoring the data from the backup and enrolling the device as supervised via USB, but you need an additional temporary ios device, and it might take quite much time as you need to make backups twice.
So, we need:
- The device that we want to enroll.
- Temporary iOS device. It might not be enrolled into MDM.
-
Ensure that Find My iPhone is off to avoid problems during enrollment.
-
Back up the main device using AppleConfigurator or Finder.
-
Restore this backup on a temporary device.
-
Ensure that Find My iPhone is turned off on a temporary device and then back up the temporary device using AppleConfigurator or Finder.
-
Restore the backup of the temporary device to the main device.
-
After restoration, when the device shows the Welcome screen on activation, connect it to Apple Configurator and enroll it using USB enrollment instructions in VSA X.
-
After activation, the device should appear in VSA X and contain restored data.
Does only macOS device support USB enrollment? Can it be done on Windows or Linux devices?
For USB enrollment we have to use Apple Configurator. And Apple made this application only for macOS.
What is a supervised device?
Supervised mode gives more options to manage the device. For instance, restart, shutdown, enable/disable Lost mode, play Lost mode sound will work only for supervised devices.
A macOS device is always supervised.
An iOS or iPadOS device is supervised if it is enrolled through USB with the “Supervised“ option checked.
You can find out if a device is supervised in the Asset Info section of the device card:
I installed a profile but the device does not appear in VSA UI.
There could be a delay in seeing an enrolled device or its data.
Firstly, Apple does not terminate its requests.
Secondly, VSA 10 has a 20-minutes cache and pings MDM services every 15 minutes to get device information. So if you enroll, unenroll, change lost mode, or perform any other actions with a device, there could be delays in the VSA 10 user interface.
If you were waiting for more than 1 hour and still do not see a device, please open a ticket providing a device Serial Number for investigation.
I see only the “Erase“ command for the device. Where are the others?
If an iOS or iPadOS device is enrolled using QR Code or Link, it will have only the “Erase” command. If it is enrolled through USB and Apple Configurator, available commands are:
-
Restart
-
Shutdown
-
Enable/Disable Lost mode
-
Play Lost Mode Sound (if a device with Lost Mode enabled)
-
Erase
It is an Apple limitation. QR Code enrollment is for personal devices and Apple does not allow to manage devices fully.
USB is for company-owned devices and only in this case, Apple give us full management capabilities.
If a macOS device is enrolled in MDM and does not have a macOS agent app installed, it will have these commands:
-
Restart
-
Shut down
-
Erase
If a macOS agent app is installed, it will have a list of commands available for the agent.
Can I enroll a macOS device in MDM if a VSA mac agent is installed?
Yes. To take advantage of full VSA management capabilities, you should enroll a macOS device into MDM and have an agent installed.
You can first install a macOS agent app and then enroll the device in MDM. Or you can do it vise versa.
You will see only one device for both cases.
I sent a command but a device did not execute it.
There could be several reasons what can get wrong:
-
To get and process MDM commands a device should be connected to the Internet. It can be a Wi-Fi, personal hotspot, or mobile network. An Apple Id or a SimCard is not required for MDM.
-
We send commands to Apple right after the user clicks the action button. But Apple does not determine when the command will be executed on the device, it might be run not immediately but with some delay.
-
If a device is in sleeping mode or turned off, it can not process commands.
In some cases, Apple sends the same command periodically until a device is awake.
In some cases, Apple returns a status that the device is unavailable. In that case, our MDM server will try to send command 4 more times:-
5 minutes after the first request
-
10 minutes after the first request
-
20 minutes after the first request
-
40 minutes after the first request
-
Can I find out that a device executed the command successfully? Or if it failed, get the reason.
No. It will be available in the upcoming releases.
What will happen when I click “Erase“?
It’s like a factory reset. All the data, e.g. photos, apps installed, accounts and MDM profile will be wiped off. It makes the phone as it is a new phone.
If you erase or unenroll the device, but still want to manage it, you should repeat the enrollment steps.
What is lost mode?
Lost Mode is a feature available on Apple devices, including iPhone, iPad, iPod Touch, and Mac, that you can use when your device is lost or stolen. It's part of Apple's "Find My" service. When you activate Lost Mode, the device is locked to prevent anyone else from accessing your personal data.
It is possible to enable Lost mode through MDM on an iOS or iPadOS device. And a custom message with a contact number can also be displayed on the Lock screen (the screenshot in the next question).
Is it possible to set up a passcode to unblock a lost-mode device?
No. Apple does not provide a way to set up a passcode for a device with Lost Mode. However, it is possible to set up a lock screen message or phone number in the confirmation popup after you click “Enable Lost Mode”.
How to unenroll the device?
To unenroll an MDM device, you should go to the settings of the device, find “VPN & Device Management”, open the MDM profile, and click “Remove Management”. After it, the device will be automatically removed from VSA 10 UI.
In the next versions, it will be possible to unenroll the device from the VSA UI.